[asterisk-commits] bebuild: tag 1.8.32.1 r428431 - in /tags/1.8.32.1: ./ ChangeLog funcs/func_db.c

SVN commits to the Asterisk project asterisk-commits at lists.digium.com
Thu Nov 20 10:44:24 CST 2014


Author: bebuild
Date: Thu Nov 20 10:44:21 2014
New Revision: 428431

URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=428431
Log:
Merge 428331 for AST-2014-018

Modified:
    tags/1.8.32.1/   (props changed)
    tags/1.8.32.1/ChangeLog
    tags/1.8.32.1/funcs/func_db.c

Propchange: tags/1.8.32.1/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu Nov 20 10:44:21 2014
@@ -1,2 +1,2 @@
-/branches/1.8:427380,428402
+/branches/1.8:427380,428331,428402
 /trunk:394552,394567

Modified: tags/1.8.32.1/ChangeLog
URL: http://svnview.digium.com/svn/asterisk/tags/1.8.32.1/ChangeLog?view=diff&rev=428431&r1=428430&r2=428431
==============================================================================
--- tags/1.8.32.1/ChangeLog (original)
+++ tags/1.8.32.1/ChangeLog Thu Nov 20 10:44:21 2014
@@ -10,6 +10,19 @@
 
 	  ASTERISK-24469 #close
 	  Reported by Matt Jordan
+
+	* AST-2014-018 - func_db: DB Dialplan function permission escalation
+	  via AMI.
+
+	  The DB dialplan function when executed from an external protocol
+	  (for instance AMI), could result in a privilege escalation.
+
+	  Asterisk now inhibits the DB function from being executed from an
+	  external interface if the live_dangerously option is set to no.
+
+	  ASTERISK-24534
+	  Reported by: Gareth Palmer
+	  patches: submitted by Gareth Palmer (license 5169)
 
 2014-11-10  Asterisk Development Team <asteriskteam at digium.com>
 
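Review bot: The new ChangeLog entry (the "Asterisk now inhibits the DB function ..." paragraph) does not say whether reads, writes or both are refused from an external interface, nor whether the other functions registered in func_db.c are covered. The func_db.c change in this same revision registers db_function with AST_CFE_BOTH, so the entry could state that both reading and writing through DB are blocked when live_dangerously is set to no, which is what an administrator auditing AMI access needs to know. Two style points in the same entry: "Reported by: Gareth Palmer" uses a colon where the preceding entry has "Reported by Matt Jordan", and "ASTERISK-24534" carries no "#close" marker while "ASTERISK-24469 #close" above does.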

Modified: tags/1.8.32.1/funcs/func_db.c
URL: http://svnview.digium.com/svn/asterisk/tags/1.8.32.1/funcs/func_db.c?view=diff&rev=428431&r1=428430&r2=428431
==============================================================================
--- tags/1.8.32.1/funcs/func_db.c (original)
+++ tags/1.8.32.1/funcs/func_db.c Thu Nov 20 10:44:21 2014
@@ -282,7 +282,7 @@
 {
 	int res = 0;
 
-	res |= ast_custom_function_register(&db_function);
+	res |= ast_custom_function_register_escalating(&db_function, AST_CFE_BOTH);
 	res |= ast_custom_function_register(&db_exists_function);
 	res |= ast_custom_function_register_escalating(&db_delete_function, AST_CFE_READ);
 
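Review bot: In the registration block, db_exists_function stays on plain ast_custom_function_register while db_function moves to AST_CFE_BOTH and db_delete_function sits at AST_CFE_READ, and nothing in the visible code explains the asymmetry. A short comment above these calls stating why each function gets its escalation level, and why db_exists_function needs none, would let a later reader confirm that the AST-2014-018 fix covers every entry point in this file without re-deriving it. It is also worth confirming in review that the return value accumulated in res is checked the same way for the escalating registration as for the plain one, since the lines that consume res are outside this hunk.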



